Xls.Dropper.Agent-7144916-0 — Office (OLE) malware analysis

Static analysis result for SHA-256 fe4ab29791b50cd7…

MALICIOUS

Office (OLE)

176.4 KB First seen: 2019-04-17
MD5: ae069ddb6b4c686ef462c12e031089a0 SHA-1: 8b4b5b9a2b6731a91510af58b80460417bd10a12 SHA-256: fe4ab29791b50cd7c98492e976927e6820e8633384d8be39e644fd0c7f91ad76
288 Risk Score

Malware Insights

Xls.Dropper.Agent-7144916-0 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1105 Ingress Tool Transfer T1059.005 Visual Basic

The sample is identified as a malicious OLE document by ClamAV, specifically 'Xls.Dropper.Agent-7144916-0'. Static analysis reveals a large slack space and an appended executable payload, indicating it functions as a dropper. The embedded PE executable confirms the presence of a secondary stage. Although the VBA macros are minimal, the overall structure and embedded executable strongly suggest a spearphishing attachment designed to deliver malware.

Heuristics 7

  • ClamAV: Xls.Dropper.Agent-7144916-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Dropper.Agent-7144916-0
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 180,659 bytes but its declared streams total only 12,223 bytes — 168,436 bytes (93%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • OLE file has appended executable-looking payload bytes high OLE_APPENDED_PAYLOAD
    OLE compound file contains a large high-entropy region beyond the declared major streams and that region includes shellcode, PE, or loader API markers. This is a payload-carrier signal, not a specific CVE attribution by itself.
  • VBA project contains no executable statements low OLE_VBA_MACROS
    Document contains a VBA project, but extracted modules only contain attributes/options/comments and no executable statements.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 671 bytes
SHA-256: 951208b608f8616684e7f652db35c4e21fc13440c541a1e128fc5562ec7888f1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Control = "TreeView1, 1, 0, MSComctlLib, TreeView"

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
embedded_office_000101b3.exe embedded-pe Office MZ+PE at offset 0x101B3 114688 bytes
SHA-256: 9500ead020d4608653c4b28e3315d1af49eafec7280fe6c606643e0bb5cf35ab

Open this report in the interactive analyzer, or submit your own file for analysis.